
US-12626187-B2 - Learning device, learning method, and learning program


Abstract

A learning device includes processing circuitry configured to acquire data of which a label is predicted, and reduce, in a model representing a probability distribution of the label of the acquired data, a rank of a Fisher information matrix for the data to a value less than a predetermined value and learn the model.

Inventors

  • Masanori Yamada
  • Sekitoshi KANAI
  • Tomokatsu Takahashi
  • Yuki Yamanaka

Assignees

  • NTT, INC.

Dates

Publication Date
20260512
Application Date
20200420

Claims (9)

  1. A learning device comprising: processing circuitry configured to: acquire training data of which a label is predicted; generate a model, representing a probability distribution of the label of the training data, to resist an adversarial example by: increasing a temperature in a Boltzmann distribution to a value greater than 1 in the probability distribution, and learning the model; receive input data of which a label is to be predicted; and predict the label of the input data by using the learned model.
  2. The learning device of claim 1, wherein the processing circuitry is further configured to perform the learning using the adversarial example that is generated by superimposing noise on the training data.
  3. The learning device of claim 1, wherein the processing circuitry is further configured to perform the learning by generating the adversarial example using a first temperature value in the probability distribution and updating the model using a loss function generated with a second temperature value that is greater than the first temperature value.
  4. The learning device of claim 3, wherein the first temperature value is 1.
  5. The learning device of claim 1, wherein the processing circuitry is further configured to predict the label of the input data by setting a temperature value in the probability distribution to 1.
  6. The learning device of claim 1, wherein the processing circuitry is further configured to perform the learning by performing an iterative process of generating the adversarial example and updating the model until a loss function converges.
  7. The learning device of claim 1, wherein the processing circuitry is further configured to perform the learning by reducing a loss function that is based on a true probability of the label of the training data and a probability predicted by the model.
  8. A learning method which is executed in a learning device, the learning method comprising: acquiring training data of which a label is predicted; generating a model, representing a probability distribution of the label of the training data, to resist an adversarial example by: increasing a temperature in a Boltzmann distribution to a value greater than 1 in the probability distribution, and learning the model; receiving input data of which a label is to be predicted; and predicting the label of the input data by using the learned model.
  9. A non-transitory computer-readable recording medium storing therein a learning program that causes a computer to execute a process comprising: acquiring training data of which a label is predicted; generating a model, representing a probability distribution of the label of the training data, to resist an adversarial example by: increasing a temperature in a Boltzmann distribution to a value greater than 1 in the probability distribution, and learning the model; receiving input data of which a label is to be predicted; and predicting the label of the input data by using the learned model.
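
The training loop described in claims 1 to 6, as an added example that is not taken from the patent: adversarial examples are generated at temperature 1, the model is updated with a loss at a higher temperature, and prediction uses temperature 1 again. The linear softmax model, the sign-gradient (FGSM) noise, the hyperparameters, all function names and the sample data are assumptions made for illustration.

```python
import math

def softmax_t(z, T):
    """Boltzmann distribution over labels: p_k proportional to exp(z_k / T)."""
    m = max(z)
    e = [math.exp((v - m) / T) for v in z]
    s = sum(e)
    return [v / s for v in e]

def logits(W, b, x):
    return [sum(w * xi for w, xi in zip(row, x)) + bk for row, bk in zip(W, b)]

def grad_logits(W, b, x, y, T):
    """Gradient of cross-entropy w.r.t. the logits at temperature T: (p - onehot) / T."""
    p = softmax_t(logits(W, b, x), T)
    return [(pk - (k == y)) / T for k, pk in enumerate(p)]

def adversarial(W, b, x, y, eps, T):
    """Superimpose sign-gradient noise on x (FGSM: an assumption of this sketch)."""
    g = grad_logits(W, b, x, y, T)
    gx = [sum(g[k] * W[k][i] for k in range(len(W))) for i in range(len(x))]
    return [xi + eps * ((gi > 0) - (gi < 0)) for xi, gi in zip(x, gx)]

def train(data, n_cls, t_attack=1.0, t_loss=4.0, eps=0.3, lr=0.5, epochs=200):
    dim = len(data[0][0])
    W, b = [[0.0] * dim for _ in range(n_cls)], [0.0] * n_cls
    for _ in range(epochs):  # fixed epoch count stands in for "until the loss converges"
        for x, y in data:
            xa = adversarial(W, b, x, y, eps, t_attack)  # first temperature (1)
            g = grad_logits(W, b, xa, y, t_loss)         # second temperature (> 1)
            for k in range(n_cls):
                b[k] -= lr * g[k]
                for i in range(dim):
                    W[k][i] -= lr * g[k] * xa[i]
    return W, b

def predict(W, b, x):
    p = softmax_t(logits(W, b, x), 1.0)  # temperature set back to 1 at prediction
    return p.index(max(p))

# Constructed sample data: two well-separated 2-D clusters (labels 0 and 1).
DATA = [([c + dx, c + dy], lab) for lab, c in enumerate((-2.0, 2.0))
        for dx in (-0.5, 0.0, 0.5) for dy in (-0.5, 0.0, 0.5)]

if __name__ == "__main__":
    W, b = train(DATA, 2)
    robust = sum(predict(W, b, adversarial(W, b, x, y, 0.3, 1.0)) == y for x, y in DATA)
    print(f"correct on perturbed inputs: {robust}/{len(DATA)}")
```
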

Description

CROSS-REFERENCE TO RELATED APPLICATION

The present application is based on PCT filing PCT/JP2020/017115, filed Apr. 20, 2020, the entire contents of which are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates to a learning device, a learning method, and a learning program.

BACKGROUND ART

In recent years, machine learning is very successful. In particular, with the emergence of deep learning, machine learning is a dominant method in the fields of images and natural language.

On the other hand, it is known that deep learning is vulnerable to an attack by an adversarial example having malicious noise. As the mainstream of a countermeasure against the adversarial example, adversarial training is known (see NPLs 1 to 4).

CITATION LIST

Non Patent Literature

[NPL 1] D. P. Kingma, et al., “Auto-Encoding Variational Bayes”, [online], arXiv:1312.6114v10 [stat.ML], May 2014, [retrieved on Mar. 31, 2020], the Internet <URL: arxiv.org/pdf/1312.6114.pdf>

[NPL 2] H. Zhang, et al., “THE LIMITATIONS OF ADVERSARIAL TRAINING AND THE BLIND-SPOT ATTACK”, [online], arXiv:1901.04684v1 [stat.ML], January 2019, [retrieved on Mar. 31, 2020], the Internet <URL: arxiv.org/pdf/1901.04684.pdf>

[NPL 3] F. Tramer, et al., “Adversarial Training and Robustness for Multiple Perturbations”, [online], arXiv:1904.13000v1 [cs.LG], April 2019, [retrieved on Mar. 31, 2020], the Internet <URL: arxiv.org/pdf/1904.13000v1.pdf>

[NPL 4] M. I. Belghazi, et al., “Mutual Information Neural Estimation”, [online], arXiv:1801.04062v4 [cs.LG], June 2018, [retrieved on Mar. 31, 2020], the Internet <URL: arxiv.org/pdf/1801.04062.pdf>

SUMMARY OF THE INVENTION

Technical Problem

However, in conventional adversarial training, it is known that a model obtained by the learning (hereinafter described as adv model) is lower in generalization capability than a model obtained by normal learning (hereinafter described as clean model). In addition, a countermeasure against an attack called a blind spot attack which attacks a weak point in the generalization capability is a problem.

The present invention has been made in view of the foregoing, and an object thereof is to learn a model which is robust to an adversarial example and is not fooled by a blind spot attack.

Means for Solving the Problem

In order to solve the above problem and attain the object, a learning device includes: processing circuitry configured to: acquire data of which a label is predicted, and reduce, in a model representing a probability distribution of the label of the acquired data, a rank of a Fisher information matrix for the data to a value less than a predetermined value and learn the model.

Effects of the Invention

According to the present invention, it becomes possible to learn the model which is robust to the adversarial example and is not fooled by the blind spot attack.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic view showing, by way of example, the schematic configuration of a learning device.
FIG. 2 is a flowchart showing learning processing procedure.
FIG. 3 is a flowchart showing detection processing procedure.
FIG. 4 is a view for explaining an example.
FIG. 5 is a view for explaining the example.
FIG. 6 is a view for explaining the example.
FIG. 7 is a view showing, by way of example, a computer which executes a learning program.

DESCRIPTION OF EMBODIMENTS

Hereinbelow, an embodiment of the present invention will be described in detail with reference to the drawings. Note that the present invention is not limited by the embodiment. In addition, in the description of the drawings, the same portions are designated by the same reference numerals and shown.

[Configuration of Learning Device]

FIG. 1 is a schematic view showing, by way of example, the schematic configuration of a learning device. As shown by way of example in FIG. 1, a learning device 10 is implemented by a general-purpose computer such as a personal computer, and includes an input unit 11, an output unit 12, a communication control unit 13, a storage unit 14, and a control unit 15.

The input unit 11 is implemented by using an input device such as a keyboard or a mouse, and inputs various pieces of instruction information such as processing start to the control unit 15 in response to an input operation by an operator. The output unit 12 is implemented by a display device such as a liquid crystal display or a printing device such as a printer.

The communication control unit 13 is implemented by an NIC (Network Interface Card) or the like, and controls communication between an external device such as a server and the control unit 15 via a network. For example, the communication control unit 13 controls communication between a management device which manages target data to be learned and the control unit 15.

The storage unit 14 is implemented by a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optica